Natwest's Get Cash app pulled, but NOTHING to do with frauds

Natwest has pulled a feature on its banking app that lets users get cash without a bank card. The removal of "Get Cash" from the app comes two days after reports that a fraudster used the feature to "get cash" - from another person's account. The BBC reported that a Natwest customer had been diddled out of £900 through a thief …

COMMENTS

This topic is closed for new posts.
  1. frank ly
    Facepalm

    A 6-digit PIN gives 'emergency' cash to anyone who types it in

    What could go wrong?

    1. sugerbear

      Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

      This is what I would worry about, the chances of guessing are 999,999 to 1 but if enough people use it then there is a fair chance that at some stage someone will guess one correctly.

      Why not enter your account number or some other reference no. instead (maybe your DOB even).

      1. JakeyC

        Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

        "maybe your DOB even" - really?

        You think that offers MORE security than a random 1-in-a-million chance?

        Assuming I don't even know you, I can already narrow your DOB down to about 1 in 30,000.

        More realistically, I can assume you'll be in a certain age range (i.e. probably of working age) which improves my chances no end.

        If I know you, I have your money.

        What was your first pet's name, just out of curiosity?

        1. TRT Silver badge

          Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

          BOTH the PIN and the DOB to show that the person given the PIN is the one using it.

        2. wowfood

          Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

          I think he meant 'as well as' not "instead of"

          So it'd be something like

          Insert DoB dd/mm/yy

          Insert the 6 digit pin.

          or perhaps a couple different security things. Most of these accounts have passwords now (I have no idea what mine is) so it could ask you for the generated pin and a random bit of info, password, DoB, mother's maiden name, the usual bollocks.

          1. Anonymous Coward
            Anonymous Coward

            Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

            How about adding some degree of physical security, a card maybe which you can insert into the machine, something that identifies you and your account?

      2. JDX Gold badge

        Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

        >>the chances of guessing are 999,999 to 1 but if enough people use it then there is a fair chance that at some stage someone will guess one correctly.

        Presumably the code has a time expiry too.

    2. Neonin

      Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

      Well, the mobile app generated a pin number once you told it how much you wanted to withdraw. You then went to one of the ATMs that supported the feature, pressed the "Enter" key, typed in the pin, typed in the pin again, and then you had to type in the amount that the pin was generated for. So, assuming said ATM didn't tell you that it was an invalid pin after the first input, you then would have to correctly guess from £10 to £100 on top for each combination, multiplying the odds of a correct guess considerably. Also, the pin generated becomes invalid after a couple of hours.

      I have used it and thought it could be very handy for letting someone else get money out in an emergency. It would be interesting to find out the exact details of what happened, as it seems a telephone call was mentioned and I never had to make said call, it was just one of the options available and was something you could do even without the mobile app.

      1. Anonymous Coward
        Anonymous Coward

        Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

        >"the mobile app generated a pin number"

        "PIN number"

        Aaaaaaaaaaaaaarrrrrrrrrrrrrrrrrrrrggggggggggggggggghhhhhhhhhhhh!!!!!!!!!!!

      2. JakeyC

        Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

        I wonder if they implement rate limiting?

        If not, you could theoretically get a gang of 10,000 criminals to try 100 PINs each, all over the country.

        Assuming there's more than one user of the app, several of those PINs will be valid over a 2-hour period.

        And trying 50 an hour sounds feasible to me.
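
The controls this sub-thread keeps circling (one-time code, expiry, amount binding, rate limiting) and the guessing odds being argued over, as an added example that is not part of the original posts and not NatWest's implementation. The class and function names, the 3-failure lockout and the ten possible amounts (£10 steps from £10 to £100) are assumptions.

```python
import secrets
import time

CODE_SPACE = 10 ** 6        # 6-digit code, as described in the thread
TTL_SECONDS = 2 * 60 * 60   # "a couple of hours"; exactly 2 h is an assumption
MAX_FAILS = 3               # assumed per-terminal lockout threshold


class CashCodeService:
    """Hypothetical issuer/verifier for one-time cash codes."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}    # code -> (amount, expires_at)
        self._fails = {}    # terminal_id -> consecutive failed attempts

    def issue(self, amount):
        # CSPRNG, so a code cannot be predicted from earlier ones.
        while True:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
            if code not in self._codes:
                break
        self._codes[code] = (amount, self._now() + TTL_SECONDS)
        return code

    def redeem(self, terminal_id, code, amount):
        if self._fails.get(terminal_id, 0) >= MAX_FAILS:
            return "locked"
        entry = self._codes.get(code)
        # One uniform answer for unknown, expired or wrong-amount codes, so
        # the terminal never confirms a code before the amount is entered.
        if entry is None or entry[1] <= self._now() or entry[0] != amount:
            self._fails[terminal_id] = self._fails.get(terminal_id, 0) + 1
            return "rejected"
        del self._codes[code]            # one-time use
        self._fails[terminal_id] = 0
        return "dispensed"


def p_any_hit(guesses, live_codes, amounts=1):
    """Chance that at least one of `guesses` independent, uniformly random
    (code, amount) tries matches one of `live_codes` outstanding codes."""
    p_single = live_codes / (CODE_SPACE * amounts)
    return 1 - (1 - p_single) ** guesses


def max_guesses(terminals, fails_allowed=MAX_FAILS):
    """Upper bound on blind tries when every terminal locks after N failures."""
    return terminals * fails_allowed


if __name__ == "__main__":
    # The thread's scenario: 10,000 people x 100 tries, one live code.
    print(f"no limit, code only:   {p_any_hit(10_000 * 100, 1):.3f}")
    print(f"no limit, code+amount: {p_any_hit(10_000 * 100, 1, amounts=10):.3f}")
    print(f"3-strike lockout:      {p_any_hit(max_guesses(10_000), 1, 10):.4f}")
```

In this model a locked terminal stays locked until a successful redemption; a real deployment would also need a timed or manual reset, which is left out here.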

    3. Anonymous Coward
      Anonymous Coward

      Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

      I'm not totally familiar with this app, but I think that you have to put in your internet banking personal ID number, I also seem to recall that you need to nominate the ATM you're going to use, but that may be the general emergency cash option that RBS/NatWest have offered for a long time with no problem.

    4. Anonymous Coward
      Anonymous Coward

      Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

      It's a one-time-use 6 digit PIN that can only be used on cash machines within a certain area. To get that 6 digit pin for emergency cash you'd first need my smartphone (since the mobile banking account is tied to that specific app on that specific phone) and then you'd also need another 6 digit PIN to get into the app in the first place.

      Seems reasonably secure to me.

      1. Anonymous Coward
        Anonymous Coward

        Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

        as to the *like a card* comment, it's for emergency cash - you know, like when you lose your wallet or get robbed...

        Which makes me ponder the 9 times thing, my bank go ape if I try to do things mildly odd (and on occasion completely normal like getting my groceries) so requesting emergency cash 9 times would have my account locked faster than you can phone up 3 times...

        1. A Known Coward
          FAIL

          Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

          So you and four other people had a sense of humour failure then? I think you'll find that it was a joke

  2. Anonymous IV

    Unfounded allegations?

    "According to a Natwest spokesperson it was likely that the fraud victim interviewed on the BBC's Moneybox programme had given out his details to phishers which is how his account got hijacked."

    The fraud victim denied this, and Nat West put forward no evidence to support their allegation. I have no evidence that Nat West's security precautions are unbreakable...

    1. wowfood

      Re: Unfounded allegations?

      But at the same time whenever you do this kind of thing they ask you for your name, dob, first line of address / postcode and some kind of password.

      The victim can deny it all they want, but odds are, they got caught out somewhere. Flat out denying it is impossible, I'm sure my details are probably floating about somewhere, I'd hope not, but in all likelihood they are.

      1. Anonymous Coward
        Anonymous Coward

        Re: Unfounded allegations?

        name, dob, first line of address / postcode and some kind of password.

        And thanks to people on Facebook we know all this now.

        Hell, you don't even have to use it to get done by it.

        "Hey it's Fred Smith's 25th on Thursday, do you know if he's planned anything?"

        Well thanks for the DoB and Full name, half way there.

        I also know many of my friends' mothers' maiden names and pet names, all thanks to the wonderful world of social media (that I hardly use)

      2. Anonymous Coward
        Anonymous Coward

        Re: Unfounded allegations?

        "The victim can deny it all they want, but odds are, they got caught out somewhere. Flat out denying it is impossible, I'm sure my details are probably floating about somewhere, I'd hope not, but in all likelihood they are."

        But in at least one of the cases mentioned over the weekend the victim had signed up for electronic banking and not for mobile banking which is needed to generate the PINs. He should have received a letter from the bank confirming that it had been set up but had not (and bank didn't seem to be able to state that a letter had been sent other than saying that as mobile banking was used someone must have set it up so a letter would have been sent to him)

        Was another case where someone had had a bank card stolen overseas - victim noticed within minutes that he'd lost wallet and immediately phoned the bank to cancel the card ... but during the 20 mins he waited "on hold" somehow several £1000 were removed from his account via ATMs and purchases - bank then refused to refund him as they said he must have had his PIN number written down as all transactions came through as validated - though victim denied this as he has never used his PIN number (and bank confirmed this).

        And in all these cases the banks are taking the line of "our security procedures are now robust so you must have done something to enable these transactions to occur ... and we can't give you any more details on these transactions as that might compromise our security procedures"

        1. Anonymous Coward
          Anonymous Coward

          Re: Unfounded allegations?

          Maximum allowed at a cash machine is £500 and that needs to be asked for so several thousands is bollocks

        2. Anonymous Coward
          Anonymous Coward

          Re: Unfounded allegations?

          @AC - I don't know about you, but I often dump letters from my bank into the bin (for later shredding) because I do Internet banking and anything they have to tell me gets done through that.

          Now in this particular case, I think it's more likely than not that this has happened along with the customer's PC being compromised or the customer banking from someone else's compromised PC, which would let the bad guys get access to the customer's customer number and pin.

          As for the other case that you cite - The customer must have given away their PIN in one way or another, probably by skimming. For several years now, though, the banks have had to - by law - refund this sort of fraud.

          1. Anonymous Coward
            Anonymous Coward

            Re: Unfounded allegations?

            If other people can guess my password good on them, even with the poxy clue I still used to forget the blasted thing, time and time again (I've remembered now though.)

            Not that my bank seem to use it for anything anymore... now they send me codes to my phone whenever I try and do anything *shrugs*

    2. Anonymous Coward
      Anonymous Coward

      Re: Unfounded allegations?

      If you have ever had any dealings with the Unhelpful Bank you will know never to trust anything that they say. Thus if they say that their system is unbreakable (ha, Ha no system ever is) then you can be certain it is totally and irrecoverably broken.

  3. banjomike

    Old-ish news

    This was posted here 3 days ago.

    http://forums.theregister.co.uk/forum/1/2012/10/06/ContentsMayVary_Natwest_suspending_Get_Cash_app_any_info_on_The_Reg_about_this/

  4. Anonymous Coward
    Anonymous Coward

    Get Cash app

    Does what it says on the box.

    Just does it for anyone it seems.

  5. Anonymous Coward
    Anonymous Coward

    More than likely they were infected by one of those recent strains of mobile banking trojan; perhaps even something specifically targeting the Get Cash app, but that's pure speculation with no basis in fact.

    I wouldn't trust anyone who can get owned that badly to have a reliable opinion on how it happened, to be honest with you.

  6. Anonymous Coward
    Anonymous Coward

    I think the company is called "Tesco".

  7. squilookle
    Devil

    If this was planned, then surely we would have a date for the return of the service sooner and more specific than "next week at the earliest". I have seen this advertised so I would be surprised if they were planning to just pull it and leave it unavailable for any significant length of time.

    I don't really care about this service as I have never used it, but after the recent mess made by the last disaster they suffered, you would think they would have learnt to be honest with their customers and that, for me, is the issue here - I don't think they are being honest.

  8. auburnman
    FAIL

    Bloody hell NatWest

    Capping this emergency withdrawal to £100 should have worked to limit the damage. If I'd been robbed of a hundred quid like this I'd be a bit miffed, but as long as the bank sorted it out I'd probably be happy overall that I had this facility at my disposal. If however I found out that they had allowed NINE separate "emergency" withdrawals without challenging it and nine hundred of my hard-earneds were burning a hole in some chav's pocket, I would lose the plot.

    Also - It's a bloody phone app FFS - why wasn't it locked down to the registered mobile number of the account holder?

    1. Anonymous Coward
      Anonymous Coward

      Re: Bloody hell NatWest

      The reports said that the customer was not registered for mobile banking yet the facility was supposed to be based on the mobile banking service to which he was NOT subscribed.

      I guess NitWit bank thought (in so far as they can think) "Oh look no number registered they must all be OK". Incompetent does not even scratch the surface of their failures.

      1. Captain Scarlet
        Facepalm

        Re: Bloody hell NatWest

        Not a Natwest Customer are you.

        When you register for Internet Banking with Natwest those same details also work for phone banking (When I signed up it clearly stated I would get access to both using the same security details).

        Also fail Natwest should never have allowed someone to use the function 2 times let alone 9 times in a few days

  9. Jelliphiish
    Coat

    unfortunate font

    Initially read that as Get Gash...and that's a whole 'nutha App.

    mine's the one set to vibrate in the pocket

  10. Anonymous Coward
    Anonymous Coward

    Get Cash app

    I've used this a couple of times for scambaiting.

    1) Lad sends an email promising you an ATM card preloaded with x million dollars.

    2) Ask lad for a scan of the ATM card to prove he's genuine.

    3) Tell lad you've withdrawn $5000 using the app and "card" details, and thank him.

    AC because scambaiters are shy retiring people.

  11. Anonymous Coward
    Anonymous Coward

    I know of

    At least seven cases of "phantom withdrawing" that have been confirmed as not when the CCTV of the stupid chav is shown in court

  12. mickey mouse the fith

    Banks are fibbers....

    Years ago (1980's) I used my cashcard at an ATM and was presented with someone else's account. Being a broke student, I withdrew the maximum £50 (I think) and never heard anything about it, or had it happen again.

    Maybe there was a bit of dirt on the magstrip or something that screwed it up as it only happened the once and putting the card back into the same ATM a few minutes later showed my account as normal.

    So ATMs are not 100% reliable and secure (or weren't 25 years ago) as banks make out.

    1. Anonymous Coward
      Anonymous Coward

      Re: Banks are fibbers....

      That sounds like absolute balls.

      1. Anonymous Coward
        Anonymous Coward

        Re: Banks are fibbers....

        You mean you really hope that's absolute balls.

        I have the same hope, unfortunately I'm less convinced of it.

      2. mickey mouse the fith

        Re: Banks are fibbers....

        Unfortunately not balls. Something screwed up and I trousered £50 free.

        I would like to think ATMs are a bit more reliable now.

    2. pig

      Re: Banks are fibbers....

      Sounds about right.

      My uncle fixes cash machines and refused to use them until about 15 years ago, before that he fixed them but withdrew his money from the counter.

      Security at that time was a joke, so much so that the emergency legislation - to block reporting of issues - was used (twice I think?) in the 80's for cash machine security issues. From memory once it was for the 'everyone has the same default pin' issue and the other for being able to access any account if you created a card with the mag strip set a certain way.

      Security now is much, much better, but banks are still bastards.

      The last time I had money stolen (£600 of Ryanair flights appearing from nowhere) they tried to say that since the card was chip and pin they wouldn't refund it. I laughed down the phone and said I would send them articles on how to get around chip and pin and they relented straight away and refunded me. My worry is how many people just take them at face value and don't get refunded, for what is in reality the bank's liability.

  13. LordBrian
    Holmes

    I wouldn't trust Natwest at all

    I was told, after about 50+ SO's on my business account over a year that they "could not decline setting up a standing order if one was sent through" .... despite the fact they did not have my signature on and the accounts were all linked to cc topup accounts (I found out not Natwest who were less than interested).

    Their attitude to fraud was comical and bordered on the criminal so I wouldn't trust them if they told me the sky was blue.

  14. JaitcH
    FAIL

    The difference between the Natwest CashApp and the HSBC SecureKey

    is that with NatWest it works and the SecureKey is just crap that is good for generating random numbers for use in games of chance.

    I'll have to take the SecureKey to Grosvenor Victoria Casino or Crockfords and see if it works there.

  15. Jolyon Smith
    FAIL

    Natwest alleged the customer did something they shouldn't have ...

    .. by revealing personal details possibly through a phishing attack, a claim that is impossible to prove or refute.

    They did this in an attempt to deny liability for accepting a mobile banking transaction made on behalf of an account holder that had not signed up for mobile banking. Something they simply should not have done, and rendering all other discussions of the security of their systems moot. Those security systems should never even have been tested in this case.

    Kettle calling pot... colour check please ?

    1. old gray wizzard

      Re: Natwest alleged the customer did something they shouldn't have ...

      This has a long history, the following link shows the problem in 2005 and before.

      http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/

      It's no wonder I don't trust the banks, don't get me started on the "Verified by VISA" crap which forces you to give up your rights!

  16. regprentice
    Thumb Up

    I know people who loved this app and are gutted the option is withdrawn.

    They use it instead of giving their kids access to their bank cards. Little Timmy wants 20 to get leathered on white cider at the local park with his friends... just request a 20 cash withdrawal from the atm next to the park..write the six digit number down for little Timmy and he can take the cash out himself on the way there.

    1. the spectacularly refined chap

      That's what faster payments are for...

      ...wire Timmy £20 to his own smegging account and it'll be there before he gets to the ATM.

    2. Anonymous Coward
      Anonymous Coward

      Until Timmy gets hold of your mobile. Seen it happen too many times.

  17. Anonymous Coward
    Anonymous Coward

    remember that white hat hackers

    showed that they were able to read the screen text of a Mobe from 60 metres away (that's nearly 200 feet) using high resolution CCTV and a good-guessing algorithm. Assuming this 6 digit text is displayed on the mobile screen of the victim, then just have to check if there are any high resolution CCTV cameras within the 122 thousand square foot zone centered around the victim...hmmm which country has one or two CCTVs lying around?

    Another way is to illegally host your own 3G/GSM/GPRS base station using either a (hacked) nanoBTS (HomeNodeB) or an open-source OpenBTS/Asterisk/GNUradio/IMSIcatcher. The resultant Man-in-the-Middle attack on Mobile Data could scoop lots of credentials/secrets/App-comms. This has been tried allegedly in several places around the world, tho' I think the crims are currently going for millions of $$$ rather than £900 with this tech.

    Don't PANIC!

  18. Colin Miller

    Camera in ATM

    Most new ATMs have a small camera in them, pointing at the user.

    Do RBS group take a photo of the withdrawer of money via the EasyCash system?

    Might be useful in case the transaction is disputed. However, if the withdrawer is known to the account, it would then come down to she-said-he-said.
